Also of note, the SANS Top Cyber Security Risks report of September 2009 refers to this document as "Best Practices in Mitigation and Control of The Top Risks."

Here are the twenty critical controls:

1. Inventory of authorized and unauthorized devices
2. Inventory of authorized and unauthorized software
3. Secure configurations of hardware and software on laptops, workstations, and servers
4. Secure configurations for network devices such as firewalls, routers, and switches
5. Boundary defense
6. Maintenance, monitoring, and analysis of security audit logs
7. Application software security
8. Controlled use of administrative privileges
9. Controlled access based on need to know
10. Continuous vulnerability assessment and remediation
11. Account monitoring and control
12. Malware defenses
13. Limitation and control of network ports, protocols, and services
14. Wireless device control
15. Data loss prevention
16. Secure network engineering
17. Penetration tests and red team exercises
18. Incident response capability
19. Data recovery capability
20. Security skills assessment and appropriate training to fill gaps

I find this document compelling because of its breadth and brevity at only 49 pages. Furthermore, for each control it lays out "Quick Wins … that can help an organization rapidly improve its security stance generally without major procedural, architectural, or technical changes to its environment," and three successively more comprehensive categories of subcontrols.